Misdetection by rule ID 92603 (Linux audit rules)


Antti Backman

May 25, 2023, 1:41:49 AM
to Wazuh mailing list
Hi Wazuh team

I've encountered a minor misdetection by the default Linux rules which leads to a somewhat misleading (low-level) alert detection,

  <rule id="92603" level="6">
    <if_group>audit</if_group>
    <field name="audit.command" type="pcre2">scp</field>
    <field name="audit.file.name" type="pcre2">.+</field>
    <description>A file was copied to this system over SSH using SCP.</description>
    <mitre>
      <id>T1021.004</id>
    </mitre>
  </rule>
Audit log entry (removed identification information, so not complete entry):

type=SYSCALL msg=audit(1684830095.121:355662): arch=c000003e syscall=59 success=yes exit=0 a0=7fac7131e8d0 a1=7fac7131e8e0 a2=7fac59d2ea48 a3=18 items=2 comm="lscpu" exe="/usr/bin/lscpu" key="audit-wazuh-c"
type=EXECVE msg=audit(1684830095.121:355662): argc=1 a0="/usr/bin/lscpu"
type=CWD msg=audit(1684830095.121:355662):
type=PATH msg=audit(1684830095.121:355662): item=0 name="/usr/bin/lscpu" inode=8519865 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1684830095.121:355662): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=16798443 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1684830095.121:355662): proctitle="/usr/bin/lscpu"

So using the 'lscpu' command leads to a level 6 alert "A file was copied to this system over SSH using SCP."

To me this is somewhat confusing. I won't go changing the default rules shipped with Wazuh, but wanted to let you know in case this could be fine-tuned in some future release.

//Antti
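Added illustration (not code from the thread or from Wazuh) of why the rule fires on lscpu: a Wazuh <field type="pcre2"> condition is an unanchored regex search, so the pattern scp matches any audit.command value that merely contains those three letters, and the PATH record's name="/usr/bin/lscpu" satisfies the audit.file.name condition as well. The audit lines below are constructed to mirror the one in the post, the comm= extraction stands in for the Wazuh auditd decoder, and the anchored pattern ^scp$ is my assumed fix, not an official Wazuh change.

```python
import re

# Constructed, abbreviated SYSCALL records in the shape shown in the post.
# Only comm= matters for audit.command; the other fields are illustrative.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1684830095.121:355662): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="lscpu" exe="/usr/bin/lscpu" key="audit-wazuh-c"',
    'type=SYSCALL msg=audit(1684830100.000:355700): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="scp" exe="/usr/bin/scp" key="audit-wazuh-c"',
    'type=SYSCALL msg=audit(1684830105.000:355710): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="sshd" exe="/usr/sbin/sshd" key="audit-wazuh-c"',
]

# Stand-in for the decoder step that turns comm="..." into audit.command.
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def extract_command(record):
    """Return the comm= value of an audit record, or None if absent."""
    m = COMM_RE.search(record)
    return m.group(1) if m else None


def field_matches(pattern, value):
    """Emulate <field type="pcre2">: an unanchored search over the field value,
    which is exactly why 'scp' also hits 'lscpu'."""
    return value is not None and re.search(pattern, value) is not None


# Pattern as shipped in rule 92603 (from the post) and the anchored variant
# I would use instead (assumption, not Wazuh's official fix).
RULE_92603_AS_SHIPPED = r"scp"
RULE_92603_ANCHORED = r"^scp$"


def commands_firing(pattern, records=SAMPLE_RECORDS):
    """List the audit.command values for which the rule's field match fires."""
    fired = []
    for record in records:
        command = extract_command(record)
        if field_matches(pattern, command):
            fired.append(command)
    return fired


if __name__ == "__main__":
    print("as shipped:", commands_firing(RULE_92603_AS_SHIPPED))
    print("anchored:  ", commands_firing(RULE_92603_ANCHORED))
```

Anchoring with ^ and $ removes the lscpu false positive while still alerting on scp itself; if a deployment also wants to catch renamed copies of the binary, the more robust condition is on the exe path or the PATH record rather than on a looser command substring.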

Awwal Ishiaku

May 25, 2023, 2:24:00 AM
to Wazuh mailing list
Hi Antti, 

Thanks for bringing this to our attention.
We have detected a similar issue earlier and our developers are working on a fix.
The fix will be available in the near future.

Regards.
